Card Number: what it is and how it works
A card number — formally called the Primary Account Number (PAN) — is the unique sequence of digits on the front of a payment card. Most are 16 digits. The number identifies the issuing bank and the cardholder's account, and ends with a Luhn check digit for error detection. PCI DSS classifies the full card number as cardholder data and requires it to be protected wherever it's stored, processed or transmitted.
What a card number is
The card number — sometimes called the credit card number or PAN (Primary Account Number) — is the unique sequence of digits embossed or printed on the front of a payment card. It's the single most important identifier in any card transaction: the number that links a purchase to a specific account at a specific bank.
Most cards carry 16 digits, though American Express uses 15 and Diners Club uses 14. The length varies by card network, but the structure is always the same: a sequence of digit groups, each carrying specific information that payment systems use to route and validate transactions.
What the digits mean
A card number isn't random. Every group of digits carries a specific piece of information.
The first digit: industry identifier
The very first digit signals which industry issued the card. Cards beginning with 4 are Visa. Cards starting with 5 (or in the 2221–2720 range) are Mastercard. A leading 3 means American Express, Diners Club or JCB. Cards starting with 6 are often Discover or UnionPay. This first digit is called the Major Industry Identifier (MII) and is technically the first character of the BIN.
The BIN: Bank Identification Number
The first six to eight digits form the Bank Identification Number, or BIN — also called the Issuer Identification Number (IIN). The BIN identifies the institution that issued the card and the card type: standard consumer, premium, corporate, prepaid and so on. Payment processors read the BIN to route each transaction to the correct issuing bank for authorisation.
The account number
The digits between the BIN and the final check digit are the individual account number assigned by the issuing bank to that specific cardholder. This is what makes each card unique within a given bank's portfolio.
The Luhn check digit
The final digit is produced by the Luhn algorithm — a simple mathematical formula that catches data-entry errors. If someone miskeys a single digit when entering a card number online or over the phone, the Luhn check fails and the system rejects the number before it reaches the payment network. This saves processing time and stops payments being applied to the wrong account. It doesn't prevent fraud — a criminal who copies a real card number already has a valid Luhn digit — but it eliminates honest mistakes.
How many digits are on a card?
The number of digits depends on the card network:
- Visa: 16 digits
- Mastercard: 16 digits
- American Express: 15 digits
- Discover: 16 digits
- Diners Club: 14 digits
- JCB: 15 or 16 digits
ISO/IEC 7812 (the international standard for card numbering) allows PANs of up to 19 digits, and some prepaid and proprietary card programmes use lengths outside the typical 15–16 range.
Why card numbers need protection
The card number is the key that enables spending from someone else's account. In a card-not-present transaction — online, over the phone or by mail — the card number combined with the expiry date and security code is usually all that's needed to make a purchase. No PIN, no chip, no signature.
This makes card numbers valuable to criminals. They're traded in bulk on dark web marketplaces, harvested through phishing, stolen in data breaches and captured through skimming. A single breach at a large retailer can expose millions of numbers at once.
PCI DSS exists specifically to protect card numbers and other cardholder data wherever they appear. The standard defines PCI scope by card number: if a system handles or could handle the full PAN, PCI DSS applies to it. Reducing the number of places the full PAN appears is one of the most effective ways to reduce compliance burden.
Card masking
PCI DSS requires that whenever a card number is displayed — on a screen, receipt, email confirmation or report — it must be masked to show no more than the first six and last four digits. In practice most businesses show only the last four, which is enough for a customer to identify which card was used without exposing enough for fraud.
This applies everywhere: agent screens, customer-facing receipts, management reports and transaction logs. The full PAN should only be visible to someone with a specific, documented business need, and even then access should be logged and monitored.
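The Luhn check and the first-six/last-four masking rule described above can be combined into a log scrubber. This is an added example, not Paytia's code: the function names, the candidate regex and the sample log lines are assumptions made for illustration, and the card numbers are well-known public test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens (assumed log format).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_sum(digits: str) -> int:
    """Luhn sum: double every second digit from the right, subtract 9 if above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total

def luhn_valid(pan: str) -> bool:
    return luhn_sum(pan) % 10 == 0

def check_digit(body: str) -> str:
    """Check digit for a PAN body (BIN + account number, final digit missing)."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)

def split_pan(pan: str, bin_len: int = 6) -> dict:
    """Split a PAN into the fields described above; bin_len may be 6 to 8."""
    return {"mii": pan[0], "bin": pan[:bin_len],
            "account": pan[bin_len:-1], "check": pan[-1]}

def mask_pan(pan: str) -> str:
    """Show no more than the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub(line: str) -> str:
    """Mask every Luhn-valid candidate in a line; leave other digit runs alone."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(repl, line)

# Constructed sample log lines using well-known public test card numbers.
SAMPLE_LOG = [
    "10:02:11 agent=17 note='customer read card 4111 1111 1111 1111 for order'",
    "10:02:40 payment ok pan=378282246310005 amount=42.00",
    "10:03:05 order_ref=1234567890123456 dispatched",  # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub(line))
```

The Luhn filter keeps order references and other long digit runs from being masked as false positives. A digit run sitting directly next to a PAN (for example an expiry date with no separator text) can merge into one candidate that fails Luhn, so a production scanner should also test shorter windows inside each candidate.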
Is it safe to read a card number aloud over the phone?
Giving a card number verbally over the phone is one of the riskier ways to pay, because the number is exposed in multiple places at once: the agent hears it, the call recording captures it, any screen-monitoring tool logs it, and the agent's workstation processes it. Each of these is a potential point of compromise, and each one brings the agent's environment into PCI DSS scope.
DTMF masking removes this problem. Instead of speaking the card number, the customer keys it on their phone keypad. The tones are masked before reaching the agent — the agent stays on the line and guides the customer but never hears the digits. The number goes directly to the payment processor. Call recordings contain no trace of it. The agent's environment exits PCI scope entirely for that piece of data.
Storing card numbers
Merchants can store card numbers under PCI DSS, but the requirements are strict. The number must be rendered unreadable through encryption, tokenisation, truncation or hashing. Access must be restricted to those with a documented business need. Retention periods must be defined and enforced.
For most businesses, the cleanest approach is not to store card numbers at all. If you need to reference a transaction, use a token or the last four digits. If you need to charge a customer again in the future, use tokenisation through your payment processor — the real card number stays in their secure vault, not your database.
What to do if a card number may have been compromised
If you believe card numbers may have been exposed — through a breach, an insider threat or any other means — notify your acquiring bank and payment processor straight away. Time matters: every hour of delay extends the window in which a criminal can use stolen data. Your processor will guide you through incident response, which may include engaging a PCI Forensic Investigator (PFI) and notifying affected cardholders. Delaying makes everything worse — for the cardholders, for your business and for your regulatory position.
Paytia's platform is built so that card numbers never enter your business systems. When a customer makes a phone payment, they key their card number on their phone keypad. Our DTMF suppression technology prevents those tones from reaching the agent, and the digits are routed directly to the payment processor through our PCI DSS Level 1 certified infrastructure.
Your agents, call recordings and business systems never see or handle the card number. This removes the most sensitive piece of cardholder data from your environment entirely — and with it, the compliance burden that comes with touching it.